Webshell Detection With Command Line Keywords

Detects certain command line parameters often used during reconnaissance activity via web shells

Sigma rule (View on GitHub)

  1title: Webshell Detection With Command Line Keywords
  2id: bed2a484-9348-4143-8a8a-b801c979301c
  3status: test
  4description: Detects certain command line parameters often used during reconnaissance activity via web shells
  5references:
  6    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
  7    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
  8    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
  9author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
 10date: 2017-01-01
 11modified: 2024-12-14
 12tags:
 13    - attack.persistence
 14    - attack.discovery
 15    - attack.t1505.003
 16    - attack.t1018
 17    - attack.t1033
 18    - attack.t1087
 19logsource:
 20    category: process_creation
 21    product: windows
 22detection:
 23    selection_webserver_image:
 24        ParentImage|endswith:
 25            - '\w3wp.exe'
 26            - '\php-cgi.exe'
 27            - '\nginx.exe'
 28            - '\httpd.exe'
 29            - '\caddy.exe'
 30            - '\ws_tomcatservice.exe'
 31    selection_webserver_characteristics_tomcat1:
 32        ParentImage|endswith:
 33            - '\java.exe'
 34            - '\javaw.exe'
 35        ParentImage|contains:
 36            - '-tomcat-'
 37            - '\tomcat'
 38    selection_webserver_characteristics_tomcat2:
 39        ParentImage|endswith:
 40            - '\java.exe'
 41            - '\javaw.exe'
 42        CommandLine|contains:
 43            - 'catalina.jar'
 44            - 'CATALINA_HOME'
 45    selection_susp_net_utility:
 46        OriginalFileName:
 47            - 'net.exe'
 48            - 'net1.exe'
 49        CommandLine|contains:
 50            - ' user '
 51            - ' use '
 52            - ' group '
 53    selection_susp_ping_utility:
 54        OriginalFileName: 'ping.exe'
 55        CommandLine|contains: ' -n '
 56    selection_susp_change_dir:
 57        CommandLine|contains:
 58            - '&cd&echo'  # china chopper web shell
 59            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
 60    selection_susp_wmic_utility:
 61        OriginalFileName: 'wmic.exe'
 62        CommandLine|contains: ' /node:'
 63    selection_susp_powershell_cli:
 64        Image|endswith:
 65            - '\cmd.exe'
 66            - '\powershell.exe'
 67            - '\pwsh.exe'
 68        CommandLine|contains:
 69            - ' -enc '
 70            - ' -EncodedCommand '
 71            - ' -w hidden '
 72            - ' -windowstyle hidden'
 73            - '.WebClient).Download'
 74    selection_susp_misc_discovery_binaries:
 75        - Image|endswith:
 76              - '\dsquery.exe'
 77              - '\find.exe'
 78              - '\findstr.exe'
 79              - '\ipconfig.exe'
 80              - '\netstat.exe'
 81              - '\nslookup.exe'
 82              - '\pathping.exe'
 83              - '\quser.exe'
 84              - '\schtasks.exe'
 85              - '\systeminfo.exe'
 86              - '\tasklist.exe'
 87              - '\tracert.exe'
 88              - '\ver.exe'
 89              - '\wevtutil.exe'
 90              - '\whoami.exe'
 91        - OriginalFileName:
 92              - 'dsquery.exe'
 93              - 'find.exe'
 94              - 'findstr.exe'
 95              - 'ipconfig.exe'
 96              - 'netstat.exe'
 97              - 'nslookup.exe'
 98              - 'pathping.exe'
 99              - 'quser.exe'
100              - 'schtasks.exe'
101              - 'sysinfo.exe'
102              - 'tasklist.exe'
103              - 'tracert.exe'
104              - 'ver.exe'
105              - 'VSSADMIN.EXE'
106              - 'wevtutil.exe'
107              - 'whoami.exe'
108    selection_susp_misc_discovery_commands:
109        CommandLine|contains:
110            - ' Test-NetConnection '
111            - 'dir \'  # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
112    condition: 1 of selection_webserver_* and 1 of selection_susp_*
113falsepositives:
114    - Unknown
115level: high
